PT-2023-24775 · Twig+1

Scgajge12 · Published 2023-06-14 · Updated 2023-06-22 · CVE-2023-34251

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.42

Description: The issue allows server-side template injection, which can lead to remote code execution. A user with page editing privileges can achieve this by embedding malicious PHP code in a page through the administrator screen. The vulnerability abuses the system function reachable from the Twig template engine, allowing an attacker to execute arbitrary system commands.

Recommendations: For Grav versions prior to 1.7.42, update to version 1.7.42 or later to resolve the issue. As a temporary workaround, restrict access to the administrator screen and to the page edit functionality for users with page editing privileges until the update can be applied.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-34251
GHSA-F9JF-4CP4-4FQ5

Affected Products

Grav
Twig